The accelerating pace of change in manufacturing technology is expected to have a dramatic impact on the breadth and complexity of the cyber risks manufacturers will need to address over the next decade. To understand what companies can do about this risk Deloitte and MAPI released the Cyber Risk in Advanced Manufacturing study.
The study found that the manufacturing industry is likely to see increased application of technology due to emerging trends, such as:
• Large scale investments in intellectual property (IP) and exponential technologies
• Exploration of industry 4.0 digital manufacturing opportunities and increased interconnectivity of the industrial ecosystem
• Rapid adoption of sensor technology, smart products, and Internet of Things (IoT) strategies and analytics to drive increased customer service and business efficiency
In the survey half of the executives said they lack confidence that they are protected from external threats. In looking at how companies can address the risk, six key cyber risk themes emerged in the study as critical to manufacturers’ abilities to both address the risk as well as capture the value associated with the new frontier of technology, They are:
- -Executive and board engagement
- -Talent and human capital
- -Intellectual property
- -Industrial control systems
- -Connected products
- -Industrial ecosystem
The study reccomends companies ask these questions to determine which action steps they should puruse:
- How do we demonstrate due diligence, ownership, and effective management of cyber risk? Are risk maps developed to show the current risk profile, as well as timely identifying emerging risks we should get ahead of?
- Do we have the right leadership and organizational talent? Beyond enterprise systems, who is leading key cyber initiatives related to ICS and connected products?
- Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?
- Are we focused on, and investing in, the right things? And, if so, how do we evaluate and measure the results of our decisions?
- How do our cyber risk program and capabilities align to industry standards and peer organizations?
- How do our awareness programs create cyber-focused mindset and cyber-conscious culture organization wide? Are awareness programs tailored to address special considerations for high-risk employee groups handling sensitive intellectual property, ICS, or connected products?
- What have we done to protect the organization against third-party cyber risks?
- Can we rapidly contain damages and mobilize response resources when a cyber incident occurs? How is our cyber incident response plan tailored to address the unique risks in ICS and connected products?
- How do we evaluate the effectiveness of our organization’s cyber risk program?
- Are we a strong and secure link in the highly connected ecosystems in which we operate?
The authors of the study suggest that manufacturers take the following ten steps:
1. Set the tone. The CISO cannot be an army of one. He or she needs to be appropriately supported by the leadership team and management to accomplish key cyber risk objectives for the company.
2. Assess risk broadly. Perform a cyber risk assessment that includes the enterprise, ICS, and connected product, and ensure any recent assessments were inclusive of advanced manufacturing cyber risks such as IP protection, ICS, connected products, and third-party risks related to industrial ecosystem relationships.
3. Socialize the risk profile. Share the results of the enterprise cyber risk assessment, and recommended strategy and roadmap with executive leadership and the board. Engage in dialogue as a team related to the business impact of key cyber risks, and prioritize resource allocation to address risks commensurate with the organization’s risk tolerance, risk posture, and capability for relevant business impact.
4. Build in security. Evaluate top business investments in emerging manufacturing technologies, IoT, and connected products, and confirm whether those projects are harmonized with the cyber risk program. Determine whether cyber talent is resident on those project teams to help them build in cyber risk management and fail-safe strategies on the front end.
5. Remember data is an asset. It is important to change the mindset in manufacturing from a transactional mindset to the fact certain data alone may be an asset. This likely necessitates a tighter connection between business value associated with data and the strategies used to protect it.
6. Assess third-party risk. Inventory mission-critical industrial ecosystem relationships, and evaluate strategies to address the third-party cyber risks that may coincide with these relationships.
7. Be vigilant with monitoring. Be vigilant in evaluating, developing, and implementing the company’s cyber threat monitoring capabilities to determine whether and how quickly a breach in key areas of the company would be detected.
8. Always be prepared. Increase organizational resiliency by focusing on incident and breach preparedness through table-top or wargaming simulations. Engage IT as well as key business leaders in this exercise.
9. Clarify organizational responsibilities. Be crystal clear with the executive leadership team on the organizational ownership responsibilities for key components of the cyber risk program, and make sure there is a clear leader on the team with responsibilities to bring it all together.
10. Drive increased awareness. Get employees on board. Make sure they are appropriately aware of their responsibilities to help mitigate cyber risks related to phishing or social engineering, protecting IP, and sensitive data, and appropriate escalation paths to report unusual activity or other areas of concern.